County officials worry the data may have contained employees' names, Social Security numbers and other personal information, which had been used in recent audits performed by Hough, MacAdam & Wartnik LLC of North Bend.
Although there have been no known reports of identity theft from any of the 482 employees notified, the computer has not been found and, according to a letter from the firm, thieves sometimes hold victims' information for later use.
According to a Coos Bay Police press log, at approximately 7:28 a.m. on March 5, officers received a report of a woman flagging down Officer Tony Wetmore, identified as 122 in the log, near Coos Bay City Hall. Crystal Albiar, 30, told Wetmore a laptop computer had been stolen from a vehicle, which, Wetmore said, belonged to Albiar. The victim is listed on the press log as Hough, MacAdam & Wartnik. Albiar is a senior accountant at the firm.
Later that day, a letter from the company was sent to clients stating that a "serious data security incident" may have involved clients' personal information.
"During the night of Tuesday, March 4, 2008, a notebook computer was stolen from a locked vehicle. The notebook's hard drive may have contained your name, Social Security number, and other personal information," the letter stated. "We have notified law enforcement about this incident. This notification included a general report alerting them to the fact that the incident occurred. However, we have not notified them about the presence of your specific information in the data breach."
The letter went on to tell recipients to take preventative measures to avert and detect any misuse of information. These steps included closely monitoring financial accounts; contacting financial institutions if unauthorized activity was detected; and placing a fraud alert on credit files.
Those who discovered suspicious activities on their credit reports were urged to file police reports and complaints with the Federal Trade Commission.
A public accounting firm, Hough, MacAdam & Wartnik is locally owned by Jim Hough, Shirley MacAdam and Jayson Wartnik. It opened in July 2004, following the acquisition of the office from Moss Adams LLP. The business dates back to the 1940s.
Via an e-mail correspondence with The World, Shirley MacAdam said the March 5 letters were sent to the 482 employees of four clients - only one of which was a public agency. She demurred from identifying the clients involved, but further investigation revealed the County and South Coast Hospice & Palliative Care in Coos Bay are among the four.
MacAdam said it is possible the four data files from the four clients contained Social Security numbers and addresses of some of the employees on the laptop's hard drive. Some of the information could have been on the laptop since October 2007. The CPA said the computer was password protected, as were certain files. Some of the information contained in the programs requires "special knowledge in order to find the personal information inside of the program," she added.
When MacAdam and other members of the firm learned the computer had been stolen, their first priority was to identify affected clients and to notify them of potential risks. This was done within 24 hours of the theft, she said.
"Our concern was to ensure that we are taking all actions that we should as prudent business people, in addition to complying with all regulations regarding proper and timely notification," MacAdam wrote to The World. "We informed them of the actions they and their employees needed to take. Due to the nature of our work and our internal policies, no client information other than audit data is ever stored on a laptop, so there is no concern that any other client information might be on the stolen laptop."
Audit data, MacAdam explained, includes check registers, accounting ledgers, trial balances, spreadsheets and account reconciliations that clients prepare for CPAs to assist them in their work.
The firm has since revisited its internal information technology security policy and implemented changes such as increased frequency of password changes, more complex passwords and encryption software when applicable. Additional training also was provided to Hough, MacAdam & Wartnik staff regarding the security policy, MacAdam said.
While no reports of identity theft or fraud have been made to the firm, MacAdam said the impacts of the theft have been felt by clients as well as by the firm.
"The impact we are aware of is primarily time our clients have spent communicating with their employees (meetings and conversations regarding follow-up procedures and addressing employee concerns)," MacAdam wrote. "Financial costs related to this loss of work time and/or any security services that have been offered to these employees will be reimbursed by HMW."
"The impact on HMW has been both time and financial as we took all steps necessary to inform the individuals affected and address all concerns brought to our attention."
MacAdam noted her firm has never experienced a data breach in the past and is still not aware if one has occurred.
The clients
County officials were apprised within 24 hours of the laptop theft. More than 300 employees who received paper paychecks from the county may have had their personal information on the laptop, said Coos County Commissioner Kevin Stufflebean.
"They informed us as soon as they thought they had a breach," Stufflebean said.
The personal information came from check registers that the accounting firm used to verify samplings of work hours, which is standard procedure in an audit, said Coos County Treasurer Mary Barton. She said, after hearing of the possible breach, the county has changed how reports, including check registers, are generated to exclude personal information.
Hough, MacAdam & Wartnik has a three-year contract with Coos County to perform its yearly audit. The firm was paid $48,000 in the first year of the contract, then received $750 raises during each of the following two years.
Information on the missing computer was left over from the county's 2005-06 audit, Stufflebean said. There is a chance nothing was on the computer, he added.
"They didn't have confirmation that it was wiped off the computer," he said. "That's why they notified (employees)."
Coos County Counsel Jacki Haggerty said she had not received any reports from county employees of any unauthorized use of their information. Still, the incident will raise the level of awareness of possible breaches in the future, according to Haggerty.
"I think it's sobering," she said. "You don't think about it until something like this happens. This is kind of a wake-up call."
Both the county and Hough, MacAdam & Wartnik are in the process of changing how data is used to make sure no unnecessary personal information is released in future audits. Haggerty said she feels assured by the lengths the firm has gone in order to increase data security.
"They are taking certain steps ... including not requesting or accepting certain information," she said. The list of banned data includes clients' Social Security numbers.
The 2007-08 audit may be the last year Hough, MacAdam & Wartnik will perform the work for the county, Stufflebean said. The county is scheduled to put the contract out to bid following this year's audit. Stufflebean said it is standard practice and did not stem from the incident.
Employees of South Coast Hospice & Palliative Care also received copies of the March 5 letter from the accounting firm.
Carol Gardner, the administrative and personnel manager for South Coast Hospice, said Hough, MacAdam & Wartnik has audited the organization for approximately 10 incident-free years. In fact, Gardner said, the hospice's board of directors complimented the company for acting so promptly.
"It was one of those unfortunate faux pas," Gardner said of the theft. "This was an unusual situation and proper steps (were) taken to coach and correct that employee. That's what we were told. Of course, we have good faith in them."
Representatives from the firm attended hospice board, staff and problem-solving meetings to handle questions about the potential data breach, she said. Additionally, the South Coast Hospice put yellow flags on its bank accounts and is doing check-by-check reviews every day.
Learning that her information may have been compromised made Gardner immediately apprehensive when she received the March 5 letter. She and her colleagues called credit bureaus to flag their accounts. No more than 100 employees received the letter, she noted.
"It did scare me a little bit to think that somebody had access," Gardner said, adding her own son dealt with a four-year struggle after someone stole his identity. However, "Up to this point we have not heard of any repercussions from it.
"I feel that we were very fortunate because, as I understand (it), it's big business - things getting stolen out of vehicles ... I think everyone needs to be aware not to leave anything of value in their vehicles."